A Guide to Mobile Security Risk Assessment

Posted by SaferMobile on Jun 10, 2011

safetyicon

You are an activist, rights defender, or journalist. You use a mobile device. And you work in sometimes risky situations in your country.

This guide will help you implement mobile security practices in your work. It will help you assess the particular risks that face you and then assist you in developing a plan to mitigate those risks.

We have previously published a Mobile Risk Primer that describes general security vulnerabilities associated with mobile technology and communication. Read it!

Throughout this guide, we'll also highlight the fictitious case of Asima, a blogger and activist in Egypt. Examples of how Asima might complete the assessment worksheet and create a security plan for her work are highlighted in this guide.

Asima lives in Cairo, Egypt and is a blogger and an activist. She used to maintain a blog on Blogspot, but now mostly uses Facebook and Twitter to follow current events, to share information, and to communicate with colleagues. She tweets from her mobile phone while in traffic and at cafes and protests and from her computer when she is at work or at home.

Asima works with other activists to organize events and often sends SMS messages to them. She is aware that she is a known activist and that security services are likely tracking her by reading her tweets, looking at her Facebook postings, and possibly tracking her SMS messages. Her phone number was disabled for a few weeks following recent protests, and she has since purchased a new SIM card. She has never been arrested. While she freely expresses her opinions on Facebook and Twitter, she tries to communicate tactically sensitive information in person. If she does communicate sensitive information via phone or SMS, she speaks about it in coded ways that she and her colleagues have agreed upon.

First, two important notes about security.

The first thing to remember that security assessment and risk mitigation are resource-intensive processes. The aim of this guide is to help you formulate a realistic plan for yourself that you can manage yourself.

For all situations, we suggest first addressing easily-managed risks. Then focus on more resource-intensive mitigation tactics for risks that carry the highest impact and probability of happening to you.

Secondly, this guide is specific to mobile risks that you may face.

We advise that you conduct similar security and risk assessments for all of your communications - online and offline. Remember that your mobile security is only a part of the tools you use. You may find that as the functionalities of your mobile device and mobile network increase, the lines between mobile information security will become less distinct. For an excellent guide on assessing and addressing additional security needs, see this Frontline Defenders publication.

What is Risk? Understanding Risk, Vulnerability, Threat

In the context of security, risk, has a particular meaning.  

  • Risk is the probability that something bad -- an event -- will occur that causes harm or loss.
  • A vulnerability is a weakness that could be used to endanger or cause harm.
  • A threat is anything that has the potential to cause harm.

So - What creates a risk for you? The likelihood that a threat will use a vulnerability to cause you harm.

For example, Asima is planning a sensitive political meeting and is using SMS. The threat is that someone intercepts the message (listens) and determines the location and time of the meeting. SMS is inherently vulnerable in that all SMS are sent unencrypted. The risk level may be high if Asima's identity (or the identity of those she is communicating with) is known to the authorities and the level of sensitivity of the meeting high.

It is not possible to identify all risks, nor is it possible to eliminate all risks. Your goal should be to understand your risks and know how to mitigate as much risk as possible.

While many different types of technical threats exist, operational threat types are described in five basic ways. Attackers can listen, modify, spoof, identify, and interrupt mobile communications. The table below describes these.

Threat Description
Listening A call can be listened to or transmitted data can be read.
Modifying Primarily a threat for data transmissions. The transmitted data can be modified.
Spoofing A threat when the authenticity of the user is not guaranteed.
Identifying The user identity and/or location is revealed.
Interrupting Connectivity to the network is disrupted.

Contributing factors in understanding risk

Based on your experience, you and your colleagues likely have a sense of the threats you face. Consider the following:

1. Your operational environment

  • Political and human rights - Are political and human rights respected in the country that you are working in? If you are working in a location that restricts civil liberties, even the smallest project could be high risk. For additional assistance considering the political and human rights context of your project, see this Freedom House map.
  • Reputation - Connections to other organizations could both provide protection and increase your risks. Among your team, are some of you more at risk than others? Are you part of a larger network? Do you have foreign partners? Does your association with these entities increase the likelihood of risk?
  • Issue and controversy - How are the issues that you work on seen by the population in which you work? Do you have support from the general population? Are the issues you work on particularly controversial?

2. Technological vulnerabilities and threat

  • Mobile networks and devices - Are you aware of the general vulnerabilities of mobile communication and whether your phone calls and messages are easily threatened? Do you know how mobile networks operate and what information your mno knows about you? See this SaferMobile Mobile Risk Primer.
  • Availability and reliability of service - Are you able to use your mobile device for communication in all locations where you will be working? Is service generally reliable or often disrupted, intentionally or unintentionally?
  • Policy and oversight - What are the policies regulating whether and how governments and other entities can intercept your communications and access your communication records?

3. The legality of your tactics and tools

  • Are the tactics you are using considered legal where you are working? If they are illegal, your risk increases considerably.  (For the record: We do not condone or support any illegal activities.)
  • Are the security tools that you are using legal or illegal? For example, is it legal to encrypt your communications?

Mobile Risk Assessment and Worksheet

This worksheet will help you conduct your own assessment to better understand your level of risk in your use of mobile technology. This risk assessment process involves the following steps.

  1. Think about your most sensitive information. Ask yourself: What am I most worried about in terms of information that I send or receive?
  2. Classify the sensitivity of this information, according to your level of risk.
  3. Consider how you use mobile technology to communicate this sensitive information and the vulnerabilities of these methods.
  4. Choose and practice methods to better protect yourself from threats.

You can use the worksheet to asses your unique mobile risks. It is a simple template to be filled in by you. The first row of the worksheet provides example responses from an Iranian activist. Read on for the risk assessment process below as you complete the template.

1. Think about the information and data you are most worried about.

Think about your most sensitive information and data. Sensitive information, unlike public content, is information that will put you or your operation at risk if it is known by people other than yourself and your trusted colleagues. Contact information of your network is probably high on that list. Photos and videos may be sensitive information.

Asima is concerned about these types of information:
 

  • Since Asima uses an app to send tweets, she is worried about exposing her username and password if her phone is lost or taken.
  • She is also worried that someone could impersonate her (spoofing) and post to social networks on her behalf.
  • Asima is also concerned that the application she uses to post on social networks includes her location information and may track that information without her knowing (identifying).
  • Though she communicates mostly using coded messages on her mobile phone, Asima worries that if her device were taken, messages could be deciphered and contact info of her colleagues retrieved.
  • She is concerned about SMS messages being read, possibly by security services accessing mobile network data.
  • Lastly, she thinks about loss of service (interrupting) as networks have been unreliable in critical situations.

2. Classify the sensitivity of information.

Once you have identified the areas of information that you are concerned about, classify these according to risk level.

For simplicity's sake, we suggest you consider 4 levels of risk:

  1. Public - Public information can be freely distributed by you, your organization, and your supporters, without any risk to individuals or organizational operations. In communicating public information, you can send and receive this information without taking any precautions. For example: A public press releases might fall in this category. 
  2. Low - Release of low-risk information may result in minimal risk to you, your colleagues and community, and your organization.  For example: A text message reminding people to vote on an election day might be low-risk if there is a low risk of irregularities at the polling stations. 
  3. Medium - Release of medium-risk information may result in risk to you, your colleagues and community, and your organization. In order for individuals to protect themselves against such risks, individuals and the organization may have to adjust behaviors and tactics.  For example: A message informing people of an event at which you do not want people outside of your organization present (such as reporters), might be medium risk. 
  4. High - Release of high-risk information may result in risk to you, your colleagues and community, and your organization. Individuals might face serious physical risk and personal loss that can not be remedied. The operations of the organization might be jeopardized, endangering the ability of the organization to continue operating. Example: Names and contact information of a sensitive network of people involved in your work.
Asima communicates high-risk information. Outside of mobile use, she communicates tactically sensitive information in person. On her mobile, hish-risk information includes:
  • The names, numbers, photos, email, contact information, and Twitter handles of colleagues who are unknown (and who would be in danger if known as a participant in resistance activities) is high risk information.
  • The username and password for Asima's Twitter account is high-risk information. (As is the username and password for other applications or services.)
  • Photos and videos documenting events that could incriminate a party or connect individuals with activism activities is also high risk.

3. Assess how you communicate and store this sensitive information with your mobile. Understand the vulnerabilities of these methods.

Now, think about how you (or your organization) communicate this sensitive information via mobile phone. In considering this, include all parties involved (such as the sender and receiver of data), the purpose, and the content of the communication. You may be able to list some mobile-related threats; the Mobile Risk Primer will help you to understand even more of the technical vulnerabilities and threats you face. Use the worksheet to help with this. 

To ensure that your list is thorough, list your uses based on the mode such as voice, SMS, MMS, email, web, photo and video capture.

Asima is using multiple mobile channels: Data (such as mobile web, apps, and Twitter), SMS, and voice. While she tries to communicate tactically sensitive information in person, she does communicate sensitive information via phone or SMS. In this case, she speaks about it in a code that she and her colleagues have agreed upon.

4. Protect yourself and your information against threats. 

  • Pick low-hanging fruit. For all situations, we suggest addressing every easily-managed risk. This includes things like setting strong passwords and carrying extra batteries. Choose more resource-intensive mitigation tactics for serious risks that carry the highest probability of happening.

Low-hanging fruit for Asima includes the following:
  • She has strong passwords for her PIN, SIM, and accounts. She tries to change these passwords frequently.
  • As a backup, Asima carries extra batteries and a replacement SIM card in case of mobile network shut down. She makes sure there is plenty of credit on her phone.
  • Asima tries to use, as much as possible, a secure connection to the mobile web (such as HTTPS), especially when logging in to any online accounts.
  • She also frequently deletes browsing history and SMS messages from her mobile phone. She updates the mobile web browser to ensure she has the latest version.
  • After you have addressed low-hanging fruit (low and easily managed risks), choose more resource-intensive mitigation tactics for serious risks which carry the highest probability of happening. This is important as you may have a long list of mobile communication uses and risks after completing the worksheet.

Plan first for those rated‚"high" as these would be the most damaging to yourself, your organization, and your work. It makes sense to focus also on those that are most probable.  Remember that planning for high risk may be resource-intensive, you may ultimately save time and energy by protecting yourself from it.

While at protests or gatherings, Asima takes other precautions, too. This includes silencing her ringer and mobile camera flash when in public. While some protests are public gatherings, if Asima is traveling to an undisclosed location, she removes the mobile battery and avoids talking about sensitive locations with insecure methods. She also plans to scrub photos of location informatio and delete sensitive videos. She keeps only few contacts in her address book and the most sensitive of those are pseudonyms.
  • Finally, plan for loss of your device or service. For all vital communications, have a backup plan (such as a meeting point, an alternative number, or a friend you can contact) in case you lose your device or service.
What if Asima's mobile device is taken by authorities at a protest gathering? She has a backup plan in place in case this happens. This allows her to continue her work and stay in touch with colleagues. Her back-up plan includes the following:
  • Before attending events, she has a developed security policy in place with her colleagues. Her entire team is aware of an alternative mechanism for communication. This may be important, too, for network failure situations.
  • She will communicate in person with her colleagues. A code has been established to make person-to-person communication more secure.
  • She has installed SaferMobile InTheClear application. InTheClear lets her preset an emergency SMS to a set of contacts (Shout!) with a single menu click (Panic!). InTheClear also allows her to unobtrusively erase her address book from her phone (Wipe!), should it be taken from her.
  • She has also coded names in her mobile address book to better protect their anonymity.

Tagged With:

A Guide to Mobile Security Risk Assessment data sheet 2250 Views

safetyicon

You are an activist, rights defender, or journalist. You use a mobile device. And you work in sometimes risky situations in your country.

This guide will help you implement mobile security practices in your work. It will help you assess the particular risks that face you and then assist you in developing a plan to mitigate those risks.

We have previously published a Mobile Risk Primer that describes general security vulnerabilities associated with mobile technology and communication. Read it!

Throughout this guide, we'll also highlight the fictitious case of Asima, a blogger and activist in Egypt. Examples of how Asima might complete the assessment worksheet and create a security plan for her work are highlighted in this guide.

Asima lives in Cairo, Egypt and is a blogger and an activist. She used to maintain a blog on Blogspot, but now mostly uses Facebook and Twitter to follow current events, to share information, and to communicate with colleagues. She tweets from her mobile phone while in traffic and at cafes and protests and from her computer when she is at work or at home.

Asima works with other activists to organize events and often sends SMS messages to them. She is aware that she is a known activist and that security services are likely tracking her by reading her tweets, looking at her Facebook postings, and possibly tracking her SMS messages. Her phone number was disabled for a few weeks following recent protests, and she has since purchased a new SIM card. She has never been arrested. While she freely expresses her opinions on Facebook and Twitter, she tries to communicate tactically sensitive information in person. If she does communicate sensitive information via phone or SMS, she speaks about it in coded ways that she and her colleagues have agreed upon.

First, two important notes about security.

The first thing to remember that security assessment and risk mitigation are resource-intensive processes. The aim of this guide is to help you formulate a realistic plan for yourself that you can manage yourself.

For all situations, we suggest first addressing easily-managed risks. Then focus on more resource-intensive mitigation tactics for risks that carry the highest impact and probability of happening to you.

Secondly, this guide is specific to mobile risks that you may face.

We advise that you conduct similar security and risk assessments for all of your communications - online and offline. Remember that your mobile security is only a part of the tools you use. You may find that as the functionalities of your mobile device and mobile network increase, the lines between mobile information security will become less distinct. For an excellent guide on assessing and addressing additional security needs, see this Frontline Defenders publication.

What is Risk? Understanding Risk, Vulnerability, Threat

In the context of security, risk, has a particular meaning.  

  • Risk is the probability that something bad -- an event -- will occur that causes harm or loss.
  • A vulnerability is a weakness that could be used to endanger or cause harm.
  • A threat is anything that has the potential to cause harm.

So - What creates a risk for you? The likelihood that a threat will use a vulnerability to cause you harm.

For example, Asima is planning a sensitive political meeting and is using SMS. The threat is that someone intercepts the message (listens) and determines the location and time of the meeting. SMS is inherently vulnerable in that all SMS are sent unencrypted. The risk level may be high if Asima's identity (or the identity of those she is communicating with) is known to the authorities and the level of sensitivity of the meeting high.

It is not possible to identify all risks, nor is it possible to eliminate all risks. Your goal should be to understand your risks and know how to mitigate as much risk as possible.

While many different types of technical threats exist, operational threat types are described in five basic ways. Attackers can listen, modify, spoof, identify, and interrupt mobile communications. The table below describes these.

Threat Description
Listening A call can be listened to or transmitted data can be read.
Modifying Primarily a threat for data transmissions. The transmitted data can be modified.
Spoofing A threat when the authenticity of the user is not guaranteed.
Identifying The user identity and/or location is revealed.
Interrupting Connectivity to the network is disrupted.

Contributing factors in understanding risk

Based on your experience, you and your colleagues likely have a sense of the threats you face. Consider the following:

1. Your operational environment

  • Political and human rights - Are political and human rights respected in the country that you are working in? If you are working in a location that restricts civil liberties, even the smallest project could be high risk. For additional assistance considering the political and human rights context of your project, see this Freedom House map.
  • Reputation - Connections to other organizations could both provide protection and increase your risks. Among your team, are some of you more at risk than others? Are you part of a larger network? Do you have foreign partners? Does your association with these entities increase the likelihood of risk?
  • Issue and controversy - How are the issues that you work on seen by the population in which you work? Do you have support from the general population? Are the issues you work on particularly controversial?

2. Technological vulnerabilities and threat

  • Mobile networks and devices - Are you aware of the general vulnerabilities of mobile communication and whether your phone calls and messages are easily threatened? Do you know how mobile networks operate and what information your mno knows about you? See this SaferMobile Mobile Risk Primer.
  • Availability and reliability of service - Are you able to use your mobile device for communication in all locations where you will be working? Is service generally reliable or often disrupted, intentionally or unintentionally?
  • Policy and oversight - What are the policies regulating whether and how governments and other entities can intercept your communications and access your communication records?

3. The legality of your tactics and tools

  • Are the tactics you are using considered legal where you are working? If they are illegal, your risk increases considerably.  (For the record: We do not condone or support any illegal activities.)
  • Are the security tools that you are using legal or illegal? For example, is it legal to encrypt your communications?

Mobile Risk Assessment and Worksheet

This worksheet will help you conduct your own assessment to better understand your level of risk in your use of mobile technology. This risk assessment process involves the following steps.

  1. Think about your most sensitive information. Ask yourself: What am I most worried about in terms of information that I send or receive?
  2. Classify the sensitivity of this information, according to your level of risk.
  3. Consider how you use mobile technology to communicate this sensitive information and the vulnerabilities of these methods.
  4. Choose and practice methods to better protect yourself from threats.

You can use the worksheet to asses your unique mobile risks. It is a simple template to be filled in by you. The first row of the worksheet provides example responses from an Iranian activist. Read on for the risk assessment process below as you complete the template.

1. Think about the information and data you are most worried about.

Think about your most sensitive information and data. Sensitive information, unlike public content, is information that will put you or your operation at risk if it is known by people other than yourself and your trusted colleagues. Contact information of your network is probably high on that list. Photos and videos may be sensitive information.

Asima is concerned about these types of information:
 

  • Since Asima uses an app to send tweets, she is worried about exposing her username and password if her phone is lost or taken.
  • She is also worried that someone could impersonate her (spoofing) and post to social networks on her behalf.
  • Asima is also concerned that the application she uses to post on social networks includes her location information and may track that information without her knowing (identifying).
  • Though she communicates mostly using coded messages on her mobile phone, Asima worries that if her device were taken, messages could be deciphered and contact info of her colleagues retrieved.
  • She is concerned about SMS messages being read, possibly by security services accessing mobile network data.
  • Lastly, she thinks about loss of service (interrupting) as networks have been unreliable in critical situations.

2. Classify the sensitivity of information.

Once you have identified the areas of information that you are concerned about, classify these according to risk level.

For simplicity's sake, we suggest you consider 4 levels of risk:

  1. Public - Public information can be freely distributed by you, your organization, and your supporters, without any risk to individuals or organizational operations. In communicating public information, you can send and receive this information without taking any precautions. For example: A public press releases might fall in this category. 
  2. Low - Release of low-risk information may result in minimal risk to you, your colleagues and community, and your organization.  For example: A text message reminding people to vote on an election day might be low-risk if there is a low risk of irregularities at the polling stations. 
  3. Medium - Release of medium-risk information may result in risk to you, your colleagues and community, and your organization. In order for individuals to protect themselves against such risks, individuals and the organization may have to adjust behaviors and tactics.  For example: A message informing people of an event at which you do not want people outside of your organization present (such as reporters), might be medium risk. 
  4. High - Release of high-risk information may result in risk to you, your colleagues and community, and your organization. Individuals might face serious physical risk and personal loss that can not be remedied. The operations of the organization might be jeopardized, endangering the ability of the organization to continue operating. Example: Names and contact information of a sensitive network of people involved in your work.
Asima communicates high-risk information. Outside of mobile use, she communicates tactically sensitive information in person. On her mobile, hish-risk information includes:
  • The names, numbers, photos, email, contact information, and Twitter handles of colleagues who are unknown (and who would be in danger if known as a participant in resistance activities) is high risk information.
  • The username and password for Asima's Twitter account is high-risk information. (As is the username and password for other applications or services.)
  • Photos and videos documenting events that could incriminate a party or connect individuals with activism activities is also high risk.

3. Assess how you communicate and store this sensitive information with your mobile. Understand the vulnerabilities of these methods.

Now, think about how you (or your organization) communicate this sensitive information via mobile phone. In considering this, include all parties involved (such as the sender and receiver of data), the purpose, and the content of the communication. You may be able to list some mobile-related threats; the Mobile Risk Primer will help you to understand even more of the technical vulnerabilities and threats you face. Use the worksheet to help with this. 

To ensure that your list is thorough, list your uses based on the mode such as voice, SMS, MMS, email, web, photo and video capture.

Asima is using multiple mobile channels: Data (such as mobile web, apps, and Twitter), SMS, and voice. While she tries to communicate tactically sensitive information in person, she does communicate sensitive information via phone or SMS. In this case, she speaks about it in a code that she and her colleagues have agreed upon.

4. Protect yourself and your information against threats. 

  • Pick low-hanging fruit. For all situations, we suggest addressing every easily-managed risk. This includes things like setting strong passwords and carrying extra batteries. Choose more resource-intensive mitigation tactics for serious risks that carry the highest probability of happening.

Low-hanging fruit for Asima includes the following:
  • She has strong passwords for her PIN, SIM, and accounts. She tries to change these passwords frequently.
  • As a backup, Asima carries extra batteries and a replacement SIM card in case of mobile network shut down. She makes sure there is plenty of credit on her phone.
  • Asima tries to use, as much as possible, a secure connection to the mobile web (such as HTTPS), especially when logging in to any online accounts.
  • She also frequently deletes browsing history and SMS messages from her mobile phone. She updates the mobile web browser to ensure she has the latest version.
  • After you have addressed low-hanging fruit (low and easily managed risks), choose more resource-intensive mitigation tactics for serious risks which carry the highest probability of happening. This is important as you may have a long list of mobile communication uses and risks after completing the worksheet.

Plan first for those rated‚"high" as these would be the most damaging to yourself, your organization, and your work. It makes sense to focus also on those that are most probable.  Remember that planning for high risk may be resource-intensive, you may ultimately save time and energy by protecting yourself from it.

While at protests or gatherings, Asima takes other precautions, too. This includes silencing her ringer and mobile camera flash when in public. While some protests are public gatherings, if Asima is traveling to an undisclosed location, she removes the mobile battery and avoids talking about sensitive locations with insecure methods. She also plans to scrub photos of location informatio and delete sensitive videos. She keeps only few contacts in her address book and the most sensitive of those are pseudonyms.
  • Finally, plan for loss of your device or service. For all vital communications, have a backup plan (such as a meeting point, an alternative number, or a friend you can contact) in case you lose your device or service.
What if Asima's mobile device is taken by authorities at a protest gathering? She has a backup plan in place in case this happens. This allows her to continue her work and stay in touch with colleagues. Her back-up plan includes the following:
  • Before attending events, she has a developed security policy in place with her colleagues. Her entire team is aware of an alternative mechanism for communication. This may be important, too, for network failure situations.
  • She will communicate in person with her colleagues. A code has been established to make person-to-person communication more secure.
  • She has installed SaferMobile InTheClear application. InTheClear lets her preset an emergency SMS to a set of contacts (Shout!) with a single menu click (Panic!). InTheClear also allows her to unobtrusively erase her address book from her phone (Wipe!), should it be taken from her.
  • She has also coded names in her mobile address book to better protect their anonymity.
 




		




 







  


  
Post new comment


  



 
 




 
 
 
The content of this field is kept private and will not be shown publicly.





 
 




 
 




 
 



  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd><p><br> <b><i><blockquote>
  • Lines and paragraphs break automatically.
More information about formatting options